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DETAILED ACTION 
Remarks 

1 . Pending claims for consideration are claims 1 -37. Applicant has amended claims 
1, 21, 24, and 34. 

2 . Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1 .17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 
1 .17(e) has been timely paid, the finality of the previous Office action has been 
withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/14/2010 has 
been entered. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1 -37 have been considered but are 

moot in view of the new ground(s) of rejection. 
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Claim Rejections - 35 USC § 102 



The following is a quotation of tlie appropriate paragraphs of 35 U.S.C. 1 02 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in 
public use or on sale in this country, more than one year prior to the date of application for patent in 
the United States. 

Claims 1-37 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Pub.No.: US 2003/0154380 A1 to Richmond et al (hereafter referenced as Richmond). 

Regarding claim 1, Richmond discloses "a method for protecting the transfer of 
data between a computer and an external device'/process of auttientication and 
autiiorization of users [par.0255]) , "the method comprising the steps of: 
a. receiving, by a module on the computer, a data portion during a data communication 
session between the computer and the external device" (pacl(ets[Fig.15/item 1502] are 
received by networl( entry device [Fig.15/item 1504]) , "said external device 
connected to the computer and communicating therewith via a physical communication 
por\!'(networl( device serving as entry point to communications networic wliere 
network device includes port module [par.0046]) ; "b. analyzing, by said module, the 
data portion according to a protocol associated with the physical communication 
porl " (authentication logic to authenticate identity where the configuration logic is 
operative to configure the port module in response to authentication [par.0047] 
also see rule application logic [par.0048]) ; "c. determining, by the module, based at 
least in part on said data portion analysis, whether a decision on whether to allow the 
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data communication session may be readied, wlierein if no decision may be reached 
on whether to allow said data communication session" (rule application logic 
[par.0048]), "then storing the data portion in a buffer, wherein the buffer is associated 
with the data communication session and returning to step 'a' and waiting for a next 
data portion, and if said decision may be reached, then proceeding to step 'd' 
"(store the relationsiiip iiierarctiy of one or more packet rules [fig.3/item 308]), "d. 
determining, by the module, based at least in part on said data portion analysis, whether 
to allow the data communication session, wherein if said data communication session is 
to be aWowed" (authentication module controls accessing stored user information 
to determine if the identification matches that of received paciiet, and to 
determine assigned role from stored user information if it is determined that the 
stored identification information matches received information [par. 0064]) , "then 
transferring the data portion with data stored in the associated buffer, if any exist, 
toward or from the physical communication port, and if said data communication 
session is not to be allowed, then modifying data transportation related to said data 
communication session'Yport module with port configuration logic to configure 
port module with one or more pacltet rules[par.0046]). 

Regarding claim 2 in view of claim 1 , Richmond discloses "wherein the step of 
modifying the data transportation comprises blocking the transportation" (deny Field 
may store a value indicating whether or not to deny access [par.0131]). 
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Regarding claim 3 in view of claim 1 , Richmond discloses "wherein the step of 
modifying the data transportation comprises modifying the type of the transportation" 
(using deny filed, pacl^et rule may be modified/configured to prevent certain 
users from using particular applications [par.01 31]). 

Regarding claim 4 in view of claim 1 , Richmond discloses "wherein the step of 
modifying the data transportation comprises modifying a status of a requested file" 
(using deny filed, packet rule may be modified/configured to prevent certain 
users from using particular applications [par.01 31]). 

Regarding claim 5 in view of claim 1 , Richmond discloses "wherein the step of 
modifying the data transportation comprises correcting the data according to the 
communication protocol" (network administrator may configure a packet rule 
accordingly [par.01 31]). 

Regarding claim 6 in view of claim 1 , Richmond discloses "wherein the physical 
communication port is selected from a group consisting of SCSI bus, Serial, Parallel, 
FireWire, PCMCIA bus, cellular, fiber channel, Bluetooth, iSCSI, Infiniband, and 
Infrared" (It is known within the art that the port must be that of a parallel or series 
also see [par.0006] which discloses a plurality of physical ports and [par.0005] 
two or more fiber optic cables). 

Regarding claim 7 in view of claim 1 , Richmond discloses "wherein the physical 
communication port is a USB port" {[par.0006] discloses a plurality of physical ports 
capable of). 
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Regarding claim 8 in view of claim 1 , Richmond discloses "wherein the physical 
communication port is wireless'Ywser device maybe connected to the entry port 
module by any of a variety of transmission media including wireless or wired 
based medium[par.0192]). 

Regarding claim 9 in view of claim 1 , Richmond discloses "wherein the step of 
analyzing the data portion further comprising: (i) determining whether additional 
processing based on a higher level protocol is required' ([Fig.13b/item 1324], the 
packet comes to a state to process if the Packet contains a VLAN header) , 
"wherein if additional processing is not required, then continuing at step 'c'" 
([Fig. 13b/step c, also see [Fig. 13c] shows that if additional processing is not 
required step C will forward packet based on vlan header [Fig. 13c/item 1336]) , 
"otherwise continuing at step (ii); and (ii) processing part of the data portion relevant to 
the higher level protocol according to the higher level protocol and returning to step (i)" 
([Fig. 13b/step c, also see [Fig. 13c] shows that if additional processing is not 
required step C will forward packet based on vlan header [Fig. 13c/item 1336]) 

Regarding claim 10, in view of claim 9, Richmond discloses "wherein the step of 
analyzing the data portion comprises analyzing relevant to a higher level protocol that is 
associated with the external 6eV\ce" (port processing logic maybe configured to 
forward configured packet through port connecting medium and port module to 
another destination on the network[par.0249]). 
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Regarding claim 11, in view of claim 10, Richmond discloses "wherein the data 
communication session is associated with an application selected from a group 
consisting of synchronization applications for PDA, Java applications for 
synchronization with cellular phone, backup storage applications, Bluetooth and WiFi 
protoco\s" (types of devices may include but are not limited too PDA's , Blackberry, 
laptops, personal computers [par.0016]). 

Regarding claim 12, in view of claim 1 , Richmond discloses "wherein the step of 
analyzing the data portion is performed in respect of the data stored in the associated 
buffer" (store the relationship hierarchy of one or more packet rules [fig.3/item 
308). 

Regarding claim 13, in view of claim 1 , Richmond discloses "wherein the step of 
determining whether a decision on the data communication session may be reached Is 
performed in respect of the data stored in the associated buifef (authentication 
module controls accessing stored user information to determine if the 
identification matches that of received packet, and to determine assigned role 
from stored user information if it is determined that the stored identification 
information matches received information [par.0064]). 

Regarding claim 14, in view of claim 1 , Richmond discloses "wherein the step of 
determining whether to allow the data communication session is performed In respect of 
the data stored in the associated buffer" (authentication module controls accessing 
stored user information to determine if the identification matches that of received 
packet, and to determine assigned role from stored user information if it is 



Application/Control Number: 10/597,003 Page 8 

Art Unit: 2433 

determined that the stored identification information matches received 
information [par.0064]). 

Regarding claim 15, in view of claim 1 , Richmond discloses "wherein the step of 
receiving a data portion comprises receiving a data portion selected from a group 
consisting of packet and SCSI block" (authentication moduie controis accessing 
stored user information to determine if the identification matches that of received 
pacliet, and to determine assigned roie from stored user information if it is 
determined that the stored identification information matches received 
information [par.0064]). 

Regarding claim 16, in view of claim 1 , Richmond discloses "wherein the step of 
receiving the data portion comprises obtaining the data portion by emulating a class 
driver", i.e. receiving data portion via hardware device driver that can operate 
iarge numtyer of different devices of a simiiar type (switching device, aiso general 
purpose computer which maybe configured to operate as a switching device 
[par. 0006] aiso see multiple program applications inclusive of driver applications 
[par.0026]). 

Regarding claim 17, in view of claim 1 , Richmond discloses " wherein step of 
receiving the data portion comprises obtaining the data portion by emulating a filter 
moduie '^enfry port module maybe configured to apply filtering rules in 
accordance with IEEE 802.1 D based on VLAN specified in the header [par.0205]). 
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Regarding claim 18, in view of claim 1 , Richmond discloses "wherein the step of 
analyzing the data portion according to a protocol associated with the physical 
communication port further comprises: i. parsing the data portion; ii. reassembling the 
data; and ill. analyzing the reassembled 6ata ", (port module with one or more packet 
rules Including user and port configuration logic to configure port module with 
packet rules and an authentication module to determine the assigned role of user 
based on Identification lnformatlon[par.0062\). 

Regarding claim 19, in view of claim 1 , Richmond discloses "wherein the step of 
determining whether to allow the communication session comprises reviewing a security 
policy" (rule application logic [par.0048]). 

Regarding claim 20, in view of claim 1 , Richmond discloses "wherein the step of 
determining whether to allow the communication session comprises examining the 
working environment in which the computer is operating and allowing the 
communication only if said computer is operating in one or more of certain working 
environ mentsYp/iy^/ca/ port receives a packet from a device used by the user and 
rule application logic to apply one or more packet rules to the received packet 
before using any of the network resources of the network device [par.0052]). 

Regarding claim 21, Richmond discloses "a system for -computer protecting the 
transfer of data between a computer coupled to a private network and an external 
device" (process of authentication and authorization of user data [par.0255]), "the 
system comprising: a client agent installed on the computer, the client agent having an 
associated security policy" fipo/t configuration logic to configure the port module 
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with one or more packet rules corresponding to tiie user [par.0046]) ; "a security 
manager communicatively coupled to the private network and operable to associate 
said security policy with the client agenV (autlientication moduie[Fig.15/item1506] 
also see rule database [Fig.15/iem 1514]); "wherein the client agent is operative to: 
obtain at least a portion of a data transfer between a hardware device connected to the 
computer through a physical communication port of the computer" (physical port 
receives a packet from a device used by the user and rule application logic to 
apply one or more packet rules to the received packet before using any of the 
network resources of the network device [par.0052]); "analyze said at least a portion 
of the data transfer according to a communication protocol associated with the physical 
communication port" (authentication logic to authenticate identity where the 
configuration logic is operative to configure the port module in response to 
authentication [par.0047] also see rule application logic [par.0048]); "and determine 
whether the data transfer is allowable based, at least on the analysis of the at least a 
portion of the data transfer and the security policy" (rule application logic [par.0048]), 
"and, if not determining whether the data transfer is allowable, then store the at least 
portion of the data transfer in a buffer associated with the data transfer and wait for a 
subsequent data portion and" (authentication module controls accessing stored 
user information to determine if the identification matches that of received 
packet, and to determine assigned role from stored user information if it is 
determined that the stored identification information matches received 
information [par.0064]), "if determining the data transfer is allowable, then transferring 
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the at least a portion of tine data transfer witfi data stored in tine associated buffer, if any 
exist, toward or from the physical communication pon" (Port module with port 
configuration iogic to configure port moduie witti one or more pacl(et ruies 
[par.0046]). 

Regarding claim 22 in view of claim 21 , Richmond discloses "wherein the 
security manager is operable to verify that the security policy is correct" (autiientication 
moduie[Fig. 15/item1506] aiso see ruie database [Fig. 15/iem 1514]). 

Regarding claim 23 in view of claim 21, Richmond discloses "wherein the 
security policy includes a plurality of rules that at least define limits on data transfers 
during a communication session" (auttientication module[Fig.15/item1506] also see 
rule database [Fig.15/iem 1514]). 

Regarding claim 24 in view of claim 21, Richmond discloses "wherein the 
security policy includes a plurality of rules related to that at least a content of the data 
portion and define the a type of an operation that can be performed during 
communication session" (authentication module[Fig.15/item1 506] also see rule 
database [Fig. 15/iem 1514]). 

Regarding claim 25 in view of claim 21, Richmond discloses "wherein the 
security manager is operable to disable any communication with the computer unless 
the client agent associated with the computer is active" (deny/disable field [par. 01 31]) 

Regarding claim 26 in view of claim 21, Richmond discloses "wherein the 
physical communication ports is selected from a group consisting of SCSI bus, Serial, 
Parallel, FireWire, PCMCIA bus, cellular, fiber channel, Bluetooth, iSCSI, Infiniband, 
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and Infrared" (It is known within the art that the port must be that of a parallel or 
series also see [par.0006] which discloses a plurality of physical ports and 
[par.0005] two or more fiber optic cables). 

Regarding claim 27 in view of claim 21, Richmond discloses "wherein the 
physical communication ports is a USB port" ([par.0006] discloses a plurality of 
physical ports capable of). 

Regarding claim 28 in view of claim 21, Richmond discloses "wherein the 
physical communication port is wireless" (user device maybe connected to the entry 
port module by any of a variety of transmission media including wireless or wired 
based medium[par.0192]). 

Regarding claim 29 in view of claim 21, Richmond discloses "wherein the client 
agent is associated with the security policy by loading the security policy into the client 
agent" (physical port must receive/load from a device used by the user and rule 
application logic to apply one or more packet rules to the received packet before 
using any of the network resources [par.0052]). 

Regarding claim 30 in view of claim 21, Richmond discloses "wherein the 
security manager is operable to verify that the security policy loaded into the client 
agent has not been modified" ((authentication module[Fig.15/item1 506] also see 
rule database [Fig. 15/iem 1514]). 

Regarding claim 31 in view of claim 21, Richmond discloses "wherein the client 
agent is further operative to transmit a report to a security server, the report identifying 
events that occurred with the computer in view of the security poWcy" (user information 
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about the user is stored on a computer readable medium residing on 
communication networl< [par.0067]). 

Regarding claim 32 in view of claim 21, Richmond discloses "wherein the client 
agent is operable to analyze the data based on a higher level protocol that is associated 
with the hardware device, wherein the hardware device is selected from a group 
consisting of flash memory, removable hard disk drive, floppy disk, writable CD ROM, a 
PDA, a cellular phone, a WiFi dongle and a Bluetooth dongle" (port processing iogic 
maybe configured to forward configured paciiet tiirougti port connecting medium 
and port moduie to anottier destination on ttie network[par.0249] additionaiiy 
(types of devices may Include but are not limited too PDA's , Blackberry, laptops, 
personal computers [par.0016]). 

Regarding claim 33 in view of claim 21, Richmond discloses "wherein the client 
agent is operable to analyze the data based on a higher level protocol that is associated 
with an application selected from a group consisting of synchronization applications for 
PDA, Java applications for synchronization with cellular phone, backup storage 
applications, Bluetooth and WiFi protocols" (port processing logic maybe configured 
to forward configured packet through port connecting medium and port module 
to another destination on the network[par.0249] additionally (types of devices 
may include but are not limited too PDA's , Blackberry, laptops, personal 
computers [par.0016]). 
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Regarding claim 34, Ridimond discloses "a computer having installed thereon a 
module operative to: obtain at least a portion of a data transfer passing through at least 
one physical communication port of the computer" (port configuration iogic to 
configure the port module witti one or more pacicet rules corresponding to the 
user [par.0046]); "analyze said at least a portion of the data transfer according to a 
communication protocol associated with the at least one physical communication port" 
(authentication iogic to authenticate identity where the configuration iogic is 
operative to configure the port module in response to authentication [par.0047] 
also see rule application logic [par.0048]); "and determine whether the data transfer 
is allowable based:, at least in part, on the analysis of the at least a portion of the data 
transfer and a security policy" (authentication module controls accessing stored 
user Information to determine if the Identification matches that of received 
packet, and to determine assigned role from stored user information if it is 
determined that the stored identification information matches received 
information [par.0064]), "and, if not determining whether the data transfer is allowable, 
then store the at least portion of the data transfer in a buffer associated with the data 
transfer and wait for a subsequent data portion and, if determining the data transfer is 
allowable, then transferring the at least a portion of the data transfer with data stored in 
the associated buffer, if any exist, toward or from the physical communication port" 
"(authentication module controls accessing stored user information to determine 
if the identification matches that of received packet, and to determine assigned 
role from stored user information if it is determined that the stored identification 
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information matches received information [par.0064]). 

Regarding claim 35 in view of claim 10, Riclimond discloses "wherein the device 
is a device selected from a group of devices consisting of flash memory, removable 
hard disk drive, floppy disk, writable CD ROM, a PDA, a cellular phone, a WiFi dongle 
and a Bluetooth dongle" (types of devices may include but are not limited too 
PDA's, Blackberry, laptops, personal computers [par.001 6]). 

Regarding claim 36 in view of claim 1 , Richmond discloses "wherein determining 
whether a decision on whether to allow the data communication session may be 
reached is based on at least two data portions wherein at least one of said two data 
portions Is stored In said buiier" (authentication module controls accessing stored 
user information to determine if the identification matches that of received 
packet, and to determine assigned role from stored user information If It Is 
determined that the stored identification information matches received 
Information [par.0064]). 

Regarding claim 37 in view of claim 1 , Richmond discloses "wherein determining 
whether to allow the data communication session is based on at least two data portions 
wherein at least one of said two data portions is stored in said buffer" (authentication 
module controls accessing stored user information to determine If the 
identification matches that of received packet, and to determine assigned role 
from stored user information if it is determined that the stored identification 
information matches received information [par.0064]). 
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Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL ANDERSON whose telephone number is 
(571)270-5159. The examiner can normally be reached on Monday-Friday Sam til 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, VIVEK SRIVASTAVA can be reached on (571)272-7304. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

MICHAEL ANDERSON 
Examiner, Art Unit 2433 
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/Vivek Srivastava/ 

Supervisory Patent Examiner, Art Unit 2433 



